Rockwell Automation Publication SAFETY-AT140A-EN-P - May 2015 5
Safety Function: Actuator Subsystems – Stop Category 1 via the PowerFlex 525 and PowerFlex 527 Drives with Safe Torque-off
The safety functions in this application technique each meet or exceed the requirements for Category 3, Performance
Level d (CAT. 3, PLd), per ISO 13849-1 and control reliable operation per ANSI B11.19.
Functional Safety Description
The Guardmaster dual-input safety relay, Guardmaster multifunction-delay expansion module, and PowerFlex drives with
integrated safe torque-off (STO) use 1oo2 architecture to achieve the PFH value that is used in the PL calculation
verification section of this document.
The Guardmaster dual-input safety relay monitors its safety inputs for valid status and faults. It monitors its internal
circuitry for proper operation and faults. The safety relay monitors its single wire safety (SWS) input/output (I/O) for
valid status and faults. It monitors its safety output contacts for proper, valid status and faults. When it receives a safety
demand on its inputs, or an invalid status or a fault is detected, the safety relay deactivates its safety outputs and sends a
safety stop command to the Guardmaster multifunction-delay expansion module via its L11 SWS.
The Guardmaster multifunction-delay expansion module monitors its SWS input for safety stop commands, valid status,
and faults. It monitors its internal circuitry for proper operation and faults. It monitors its safety output contacts for proper,
valid status and faults. When it receives a non-fault safety demand via its L12 SWS input, it deactivates its safety outputs in
the manner for which it is configured. In this document, the Guardmaster multifunction-delay expansion module is
configured to provide a 100 ms delay. In the event of an internal fault, or a fault signaled via the SWS, the Guardmaster
multifunction-delay expansion module immediately de-energizes its safety outputs.
The PowerFlex drive monitors its STO inputs for valid status and faults. The drive monitors its internal safety circuits for
valid status and faults. The drive monitors its outputs for valid status and faults. When the Guardmaster dual-input safety
relay de-energizes the drive STO inputs via the Guardmaster multifunction-delay expansion module, the drive's STO
feature forces the drive output power transistors to a disabled state. The hazardous motion controlled by the drive coasts to
a stop. This feature does not provide electrical power isolation.
The system cannot be restarted until the gate is closed and the Guardmaster dual-input safety relay is reset. Once the safety
relay is reset, the PAC-controlled Start button can be pressed to start the hazardous motion.
Hardwired STO Safe Torque Off Considerations for a Category 1 Stop
In the event of a malfunction, it is possible that stop category 0 may occur. When designing the machine application, timing
and distance must be considered for a coast to stop, as well as the possibility of the loss of control of a vertical load. The
nature of a malfunction causing this condition could be a hardwired STO input to the drive going low (for example, a wire
falling off) before the drive has had a chance to completely stop the motor. Use additional protective measures if this occurrence
might introduce unacceptable risks to personnel.
The vendor must provide probability of failure per hour (PFH) and all relevant functional safety data for all the subsystems of this
safety system necessary to prove that the overall safety functions meet the requirements for Performance Level d (PLd), per ISO
13849-1.
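As an added worked example that is not part of the Rockwell publication, the following Python combines the per-subsystem PFH values referred to above (safety relay, delay expansion module, drive STO) into the total PFH of the series-connected safety function and maps it to a PL band per ISO 13849-1 Table 3; the PFH figures and subsystem PL letters in it are constructed placeholders, not vendor data, and must be replaced with the vendor's published values.

```python
# ISO 13849-1 PL verification for a series-connected safety function.
# Total PFH is the sum of the subsystem PFH values; the achieved PL is also
# capped by the lowest PL of any single subsystem.
from typing import Dict, Tuple

# ISO 13849-1 Table 3 bands: (PL, lower bound inclusive, upper bound exclusive), in 1/h.
PL_BANDS = [
    ("e", 1e-8, 1e-7),
    ("d", 1e-7, 1e-6),
    ("c", 1e-6, 3e-6),
    ("b", 3e-6, 1e-5),
    ("a", 1e-5, 1e-4),
]
PL_ORDER = "abcde"  # index increases with safety performance


def pl_from_pfh(pfh: float) -> str:
    """Map an average probability of dangerous failure per hour to a PL letter."""
    if pfh < 1e-8:
        return "e"  # below the PL e lower bound; PL e is the best band defined
    for pl, lo, hi in PL_BANDS:
        if lo <= pfh < hi:
            return pl
    raise ValueError(f"PFH {pfh:g}/h is worse than PL a; not a valid safety function")


def verify_safety_function(subsystems: Dict[str, Tuple[float, str]], required_pl: str) -> dict:
    """subsystems maps a name to (PFH in 1/h, subsystem PL). Returns the combined
    PFH, the achieved PL, and whether the required PL is met."""
    total_pfh = sum(pfh for pfh, _ in subsystems.values())
    lowest_subsystem_pl = min((pl for _, pl in subsystems.values()), key=PL_ORDER.index)
    achieved = min(pl_from_pfh(total_pfh), lowest_subsystem_pl, key=PL_ORDER.index)
    return {
        "total_pfh": total_pfh,
        "achieved_pl": achieved,
        "meets_requirement": PL_ORDER.index(achieved) >= PL_ORDER.index(required_pl),
    }


# CONSTRUCTED placeholder data for the three subsystems of the stop category 1 function.
# Each subsystem is PL e on its own, yet the summed PFH lands in the PL d band.
STOP_CAT1_SUBSYSTEMS = {
    "Guardmaster dual-input safety relay": (3.0e-8, "e"),               # placeholder
    "Guardmaster multifunction-delay expansion module": (3.0e-8, "e"),  # placeholder
    "PowerFlex drive with STO (1oo2)": (5.0e-8, "e"),                   # placeholder
}

if __name__ == "__main__":
    print(verify_safety_function(STOP_CAT1_SUBSYSTEMS, required_pl="d"))
```

The result shows why the summed PFH, not the best single subsystem, decides the achieved PL: the placeholder figures meet PLd but would fail a PLe requirement.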